
clnt_broadcast(3): don't free function pointers
Closed, Public

Authored by brooks on Jan 29 2026, 12:15 PM.

Details

Summary

Replace use of thr_getspecific/thr_setspecific to stash the function
pointer we're smuggling between clnt_broadcast and rpc_wrap_bcast with a
simple thread local variable. Clear it after use so the reference
doesn't linger.

In the relatively unlikely event clnt_broadcast was called from threads
that exited prior to program termination, the previous code called free
on a function pointer, which is undefined and might corrupt allocator
state.

Effort: CHERI upstreaming
Sponsored by: DARPA, AFRL
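To make the two schemes concrete, here is an added, self-contained illustration of the pattern the summary describes; it is not the code from this revision or from FreeBSD's libc. The callback type, the function names and the struct are constructed stand-ins (clnt_broadcast really takes a resultproc_t and a wrapper named rpc_wrap_bcast). In the old scheme the key's destructor is a recording stub rather than free(), so the program can show that the destructor really is handed the stashed function pointer at thread exit, which is the free()-on-a-non-heap-address case the change removes, without actually corrupting the allocator. The new scheme uses a compiler thread-local (`__thread`, an assumption about the form used) and clears it after the call.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the callback that clnt_broadcast forwards to
 * its wrapper; the real type is resultproc_t. */
typedef int (*bcast_cb_t)(int);

static int double_it(int x) { return 2 * x; }

/* ---- Old scheme: thread-specific key with a destructor ---------------- */

/* The original code registered free() as the key destructor.  This stub
 * stands in for it so we can observe the destructor being invoked with a
 * function pointer instead of calling free() on one. */
static void *destructor_arg;
static int destructor_calls;

static void record_destructor(void *p)
{
	destructor_calls++;
	destructor_arg = p;
}

static pthread_key_t cb_key;
static pthread_once_t cb_key_once = PTHREAD_ONCE_INIT;

static void make_key(void)
{
	(void)pthread_key_create(&cb_key, record_destructor);
}

static int wrap_old(int v)
{
	bcast_cb_t cb = (bcast_cb_t)(uintptr_t)pthread_getspecific(cb_key);
	return cb(v);
}

static int broadcast_old(bcast_cb_t cb, int v)
{
	(void)pthread_once(&cb_key_once, make_key);
	(void)pthread_setspecific(cb_key, (void *)(uintptr_t)cb);
	/* Never cleared: the stored pointer reaches the destructor on exit. */
	return wrap_old(v);
}

/* ---- New scheme: plain thread-local, cleared after use ---------------- */

static __thread bcast_cb_t cur_cb;

static int wrap_new(int v)
{
	return cur_cb(v);
}

static int broadcast_new(bcast_cb_t cb, int v)
{
	int r;

	cur_cb = cb;
	r = wrap_new(v);
	cur_cb = NULL;	/* do not let the reference linger */
	return r;
}

/* Run one broadcast in a fresh thread and join it, so that any key
 * destructors fire before we inspect the globals. */
struct job {
	bcast_cb_t cb;
	int v;
	int out;
	int use_new;
	void *leftover;	/* value of cur_cb after the new-scheme call */
};

static void *runner(void *arg)
{
	struct job *j = arg;

	if (j->use_new) {
		j->out = broadcast_new(j->cb, j->v);
		j->leftover = (void *)(uintptr_t)cur_cb;
	} else {
		j->out = broadcast_old(j->cb, j->v);
	}
	return NULL;
}

static int run_in_thread(struct job *j)
{
	pthread_t t;

	if (pthread_create(&t, NULL, runner, j) != 0)
		return -1;
	(void)pthread_join(t, NULL);
	return j->out;
}

/* 1 if the old scheme produced the right answer and, after the thread
 * exited, the key destructor was called once with the function pointer. */
int old_scheme_destructor_got_function_pointer(void)
{
	struct job j = { .cb = double_it, .v = 21, .use_new = 0 };

	destructor_calls = 0;
	destructor_arg = NULL;
	if (run_in_thread(&j) != 42)
		return 0;
	return destructor_calls == 1 &&
	    destructor_arg == (void *)(uintptr_t)double_it;
}

/* 1 if the new scheme produced the right answer, cleared its thread-local
 * before returning, and involved no destructor at all. */
int new_scheme_leaves_nothing(void)
{
	struct job j = { .cb = double_it, .v = 21, .use_new = 1 };

	destructor_calls = 0;
	if (run_in_thread(&j) != 42)
		return 0;
	return j.leftover == NULL && destructor_calls == 0;
}
```

The recording stub is the only liberty taken: with free() in its place, the old scheme's thread exit would hand a pointer into the text segment to the allocator, which is exactly the undefined behaviour the summary names. The thread-local version costs sizeof(void *) of TLS per thread, which is the trade-off discussed in the comments below.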

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

Alternatively one could avoid passing free to thr_keycreate, but the complexity of the thr_keycreate approach doesn't seem worth it to save sizeof(void *) of TLS storage.

This revision is now accepted and ready to land. (Jan 29 2026, 5:04 PM)

I suspect the old code just predates reliable TLS support in the toolchain so was using the guts of the implementation for pthread_key.

In D54939#1258282, @jhb wrote:

I suspect the old code just predates reliable TLS support in the toolchain so was using the guts of the implementation for pthread_key.

The old model does have the advantage of not increasing TLS size for code that isn't commonly used. I decided to leave another half dozen or so alone for now as they involved larger structures. There is an argument that we should just convert them since I doubt it will change how many pages we need for TLS.